Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

vPro in a Multi-Domain Environment


Hi All,

I just wanted to share the scenario and fix for similar types of hierarchy as we do. Currently, we have 2 domains that we deal with. and (for examples). In, we have our Enterprise CA which handles all the domains' certificate needs. In, we have our SCCM SP1 Primary Site Server named We were able to exclude the 3rd party certificate as the source of the issue because we could get the OOB SP to recognize, connect, id the machine as a vPro box, and start the provision. It looked like there was a problem with the Web Server certificate not being able to see the trusted root. Because of this, the process broke down as it was not able to issue a certification for the machine to be provisioned.

In Amtopmgr.log, we saw the following "Missed device certificate. To provision device with TLS server or Mutual Auth mode, device certificate is required." So we referenced and saw the corresponding entry. At first we a certificate chain issue and something wrong with our PKI. While that was a problem, it wasn't the root cause. The issue is that our SCCM OOB Point needed access to act as a CA itself to have permissions to and revoke certificates. The problem is that we didn't anticipate the issue from our lab testing. We set up our lab as a single domain with the CA and the SCCM box on the same level.

Ultimately, the fix was the next entry below the "Missing device certificate..." entry. Upon inspection of the amtproxymgr.log, we saw ERROR: ICertRequest2->Submit failed: 0x80070005. The issue was that we needed to get our into the security group CERTSRV_DOM_ACCESS in We bounced the server and we were then able to provision machines pretty happily. I hope this helps someone down the road. Happy trails!

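The log correlation described in the post above, as an added example that is not part of the original post or of any Intel or Microsoft tooling: it scans log lines for the two messages the post quotes and decodes the HRESULT, showing that 0x80070005 is a Win32 access-denied code, which points at permissions on the CA rather than at chain validation. The function names and the surrounding sample lines are constructed for illustration; only the two quoted messages come from the post.

```python
import re

# Messages quoted in the post.
MISSING_CERT = "Missed device certificate"
SUBMIT_FAIL = re.compile(r"ICertRequest2->Submit failed: (0x[0-9A-Fa-f]{8})")

FACILITY_WIN32 = 7           # HRESULT facility that wraps a Win32 error code
ERROR_ACCESS_DENIED = 5      # Win32 error code 5

def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    value &= 0xFFFFFFFF
    failed = bool(value >> 31)          # severity bit
    facility = (value >> 16) & 0x7FF    # 11-bit facility field
    code = value & 0xFFFF               # low 16 bits
    return failed, facility, code

def triage(lines):
    """Return (line_no, kind, detail) for each relevant log line."""
    findings = []
    for n, line in enumerate(lines, 1):
        if MISSING_CERT in line:
            # Symptom only: the certificate request never produced a certificate.
            findings.append((n, "symptom", "no device certificate issued"))
        m = SUBMIT_FAIL.search(line)
        if m:
            failed, facility, code = decode_hresult(int(m.group(1), 16))
            if failed and facility == FACILITY_WIN32 and code == ERROR_ACCESS_DENIED:
                # The requester was refused by the CA: a permissions problem.
                findings.append((n, "cause", "access denied submitting request to CA"))
            else:
                findings.append((n, "error", f"facility={facility} code={code}"))
    return findings

# Constructed sample input; the first line is invented filler.
SAMPLE = [
    "Provisioning task started (constructed sample line)",
    "ERROR: ICertRequest2->Submit failed: 0x80070005",
    "Missed device certificate. To provision device with TLS server or "
    "Mutual Auth mode, device certificate is required.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```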